What is the statement of applicability for ISO 27001?

When researching what you need for the ISO 27001 certification, you may have stumbled upon the term ‘statement of applicability’.

Confused? Don’t worry. We’ve done the hard work for you – here’s what the ISO 27001 statement of applicability is and why it’s important.

What is the statement of applicability for ISO 27001?

The statement of applicability is part of the risk assessment and Information Security Management System (ISMS) component of ISO/IEC 27001. It’s a framework of policies surrounding the legality, physicality, and technicality of your cyber security systems.

Completion of the statement of applicability (SoA) is a requirement of the ISO/IEC: a document you must develop, prepare and submit as part of your steps toward best practice regarding your data management systems.

What controls must you implement in the statement of applicability for ISO 27001?

There are no exact rules for developing your SoA as ISO 27001 recognises that details of cyber security are unique to your business’ requirements. However you must include:

• An explanation of the elements of the security controls you’ve chosen to mitigate risks, and a justification for why you’ve included them. These are decided through performing a gap analysis and risk assessment in the starting stages of your ISO/IEC 27001 implementation.
• If you’ve excluded any part of ISO/IEC 27001’s Annex A, which is a list of 114 control objectives and explanations of what they are, what they do, and why.

Why is the statement of applicability for ISO 27001 important?

• Your SoA is your roadmap to smooth and effective ISO 27001 implementation and operation. It’s a comprehensive document that identifies and categorises elements of your information security measures by product and department as well as a host of other criteria.
• In ISO certifications, documentary evidence is crucial. Your SoA provides physical proof to your auditor that you have taken the necessary steps to achieve your ISO 27001 certification.
• Your SoA assists in the continual improvement of your digital security as it gives you a framework to be able to compare what’s working and what’s not. It will then give you scope in which to update.
• If a data breach occurs, the controls you put into place will be justified. Your compliance will be proven, giving you confidence in your next steps.

Want to know more about the statement of applicability for ISO 27001?

If you’re looking for advice on ISO/IEC 27001, our experts are happy to answer any further questions you have. You can read our frequently asked questions about the ISO 27001 or get in touch with us to learn more on how to get ISO 27001 certified!